Blog entry by Les Bell

Les Bell
by Les Bell - Wednesday, April 12, 2023, 12:05 PM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Russian GRU Officer Doxxed

In a classic 'man bites dog' reversal of the usual order, a Ukrainian hacktivist group called Cyber Resistance has been able to hack the email of a high-ranking officer of the Russian Main Intelligence Directorate of the General Staff of the Russian Army, otherwise known as the GRU. Even 'better', he is the head of the 85th Main Special Service Center of the GRU, military unit 26165, more commonly known as APT 28, a.k.a. Fancy Bear.

APT 28 is one of the most agressive Russian threat actors, known to have run cyberattacks against government agencies and critical infrastructure in Ukraine, the US, the Netherlands, Poland, Latvia, Germany, the Czech Republic and elsewhere. Back in 2018, the US Justice Department formally indicted 12 GRU employees for breaching the email systems of the US Democratic National Committee and attempting to interfere in the 2016 US elections. Among those indicted is the victim of this breach: Lieutenant Colonel Sergey Alexandrovich Morgachev.


(Image credit: Cyber Resistance / InformNapalm)

Among the emails retrieved by the hackers was one from Apple, warning Morgachev that the FBI had requested, and been granted, information regarding his Apple account. The Cyber Resistance hackers were also able to obtain his address details, his passport, the registration of his car (a Toyota RAV4) as well as his employment records, such as a medical certificate required for his security clearance. All of this was passed to the InformNapalm site, which has published it.

Uncredited, Hacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28, news article, 10 April 2023. Available online at https://informnapalm.org/en/hacked-russian-gru-officer/.

It's That Day of the Month Again

It's Patchday again - that day when we install a large batch of Windows patches and reboot.

This month, the Windows 11 KB5025239 cumulative update contains fixes for 97 vulnerabilities in various Microsoft products. Key among these is a fix for CVE-2023-28252, a privilege escalation vulnerability in the Windows Common Log File System (CLFS) Driver, which the Cybersecurity & Infrastructure Security Agency has today added to its Known Exploited Vulnerabilities Catalog. The vulnerability is being exploited in ransomware attacks.

The update also adds a number of other fixes and enhancements.

Microsoft Security Response Center, April 2023 Security Updates, web page, 11 April 2023. Available online at https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr.

CISA, CISA Adds One Known Exploited Vulnerability to Catalog, alert, 11 April 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/04/11/cisa-adds-one-known-exploited-vulnerability-catalog.

Guidance for Dealing with BlackLotus

Microsoft has also provided a step-by-step guide for organizations investigating whether users have been targeted by threat actors exploiting CVE-2022-21894 using the UEFI (Unified Extensible Firmware Interface) bootkit, BlackLotus. This bootkit is able to bypass the Windows Secure Boot process and deploy malware files to the EFI System Partition.

Microsoft Security, Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign, blog post, 11 April 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/.

Fortinet Product Vulnerability Advisories

Fortiguard Labs has released its monthly Vulnerability Advisories for a range of Fortinet products. Perhaps the most significant is one which allows remote unpassworded access to the redis and mongodb subsystems in FortiPresence, and which rates a CVSS score of 9.3. However, a wide range of products also make the list, including FortiOS and FortiProxy, FortiSandbox/FortiDeceptor, FortiClient for both Windows and Mac, FortiADC, FortiAnalyzer and others.

Uncredited, April 2023 Vulnerability Advisories, PSIRT monthly advisory, April 2023. Available online at https://www.fortiguard.com/psirt-monthly-advisory/april-2023-vulnerability-advisories.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: